// -*- IDL -*-

//=============================================================================
/**
 *  @file   CSI.idl
 *
 *  @author Object Management Group
 */
//=============================================================================


#ifndef _CSI_IDL_
#define _CSI_IDL_

#include "tao/IOP.pidl"

module IOP
{
  const ServiceId SecurityAttributeService = 15;
};

module CSI {
  typeprefix CSI "omg.org";

  // The OMG VMCID; same value as CORBA::OMGVMCID. Do not change ever.
  const unsigned long OMGVMCID = 0x4F4D0;

  // An X509CertificateChain contains an ASN.1 BER encoded SEQUENCE
  // [1..MAX] OF X.509 certificates encapsulated in a sequence of octets. The
  // subject's certificate shall come first in the list. Each following
  // certificate shall directly certify the one preceding it. The ASN.1
  // representation of Certificate is as defined in [IETF RFC 2459].
  typedef sequence <octet> X509CertificateChain;

  // an X.501 type name or Distinguished Name encapsulated in a sequence of
  // octets containing the ASN.1 encoding.
  typedef sequence <octet> X501DistinguishedName;

  // UTF-8 Encoding of String
  typedef sequence <octet> UTF8String;

  // ASN.1 Encoding of an OBJECT IDENTIFIER
  typedef sequence <octet> OID;
  typedef sequence <OID> OIDList;

  // A sequence of octets containing a GSStoken. Initial context tokens are
  // ASN.1 encoded as defined in [IETF RFC 2743] Section 3.1,
  // "Mechanism-Independent token Format", pp. 81-82. Initial context tokens
  // contain an ASN.1 tag followed by a token length, a mechanism identifier,
  // and a mechanism-specific token (i.e. a GSSUP::InitialContextToken). The
  // encoding of all other GSS tokens (e.g. error tokens and final context
  // tokens) is mechanism dependent.
  typedef sequence <octet> GSSToken;

  // An encoding of a GSS Mechanism-Independent Exported Name Object as
  // defined in [IETF RFC 2743] Section 3.2, "GSS Mechanism-Independent
  // Exported Name Object Format," p. 84.
  typedef sequence <octet> GSS_NT_ExportedName;
  typedef sequence <GSS_NT_ExportedName> GSS_NT_ExportedNameList;

  // The MsgType enumeration defines the complete set of service context
  // message types used by the CSI context management protocols, including
  // those message types pertaining only to the stateful application of the
  // protocols (to insure proper alignment of the identifiers between
  // stateless and stateful implementations). Specifically, the
  // MTMessageInContext is not sent by stateless clients (although it may
  // be received by stateless targets).
  typedef short MsgType;

  const MsgType MTEstablishContext = 0;
  const MsgType MTCompleteEstablishContext = 1;
  const MsgType MTContextError = 4;
  const MsgType MTMessageInContext = 5;

  // The ContextId type is used carry session identifiers. A stateless
  // application of the service context protocol is indicated by a session
  // identifier value of 0.
  typedef unsigned long long ContextId;

  // The AuthorizationElementType defines the contents and encoding of
  // the_element field of the AuthorizationElement.
  // The high order 20-bits of each AuthorizationElementType constant
  // shall contain the Vendor Minor Codeset ID (VMCID) of the
  // organization that defined the element type. The low order 12 bits
  // shall contain the organization-scoped element type identifier. The
  // high-order 20 bits of all element types defined by the OMG shall
  // contain the VMCID allocated to the OMG (that is, 0x4F4D0).
  typedef unsigned long AuthorizationElementType;

  // An AuthorizationElementType of X509AttributeCertChain indicates
  // that the_element field of the AuthorizationElement contains an
  // ASN.1 BER SEQUENCE composed of an (X.509) AttributeCertificate
  // followed by a SEQUENCE OF (X.509) Certificate. The two-part
  // SEQUENCE is encapsulated in an octet stream. The chain of
  // identity certificates is provided to certify the attribute
  // certificate. Each certificate in the chain shall directly certify
  // the one preceding it. The first certificate in the chain shall
  // certify the attribute certificate. The ASN.1 representation of
  // (X.509) Certificate is as defined in [IETF RFC 2459]. The ASN.1
  // representation of (X.509) AttributeCertificate is as defined in
  // [IETF ID PKIXAC].
  const AuthorizationElementType X509AttributeCertChain = OMGVMCID | 1;

  typedef sequence <octet> AuthorizationElementContents;

  // The AuthorizationElement contains one element of an authorization token.
  // Each element of an authorization token is logically a PAC.
  struct AuthorizationElement {
    AuthorizationElementType the_type;
    AuthorizationElementContents the_element;
  };

  // The AuthorizationToken is made up of a sequence of
  // AuthorizationElements
  typedef sequence <AuthorizationElement> AuthorizationToken;
  typedef unsigned long IdentityTokenType;

  // Additional standard identity token types shall only be defined by the
  // OMG. All IdentityTokenType constants shall be a power of 2.
  const IdentityTokenType ITTAbsent = 0;
  const IdentityTokenType ITTAnonymous = 1;
  const IdentityTokenType ITTPrincipalName = 2;
  const IdentityTokenType ITTX509CertChain = 4;
  const IdentityTokenType ITTDistinguishedName = 8;

  typedef sequence <octet> IdentityExtension;

  union IdentityToken switch ( IdentityTokenType ) {
    case ITTAbsent: boolean absent;
    case ITTAnonymous: boolean anonymous;
    case ITTPrincipalName: GSS_NT_ExportedName principal_name;
    case ITTX509CertChain: X509CertificateChain certificate_chain;
    case ITTDistinguishedName: X501DistinguishedName dn;
    default: IdentityExtension id;
  };

  struct EstablishContext {
    ContextId client_context_id;
    AuthorizationToken authorization_token;
    IdentityToken identity_token;
    GSSToken client_authentication_token;
  };

  struct CompleteEstablishContext {
    ContextId client_context_id;
    boolean context_stateful;
    GSSToken final_context_token;
  };

  struct ContextError {
    ContextId client_context_id;
    long major_status;
    long minor_status;
    GSSToken error_token;
  };

  // Not sent by stateless clients. If received by a stateless server, a
  // ContextError message should be returned, indicating the session does
  // not exist.
  struct MessageInContext {
    ContextId client_context_id;
    boolean discard_context;
  };

  union SASContextBody switch ( MsgType ) {
    case MTEstablishContext: EstablishContext establish_msg;
    case MTCompleteEstablishContext: CompleteEstablishContext
                                     complete_msg;
    case MTContextError: ContextError error_msg;
    case MTMessageInContext: MessageInContext in_context_msg;
  };

  // The following type represents the string representation of an ASN.1
  // OBJECT IDENTIFIER (OID). OIDs are represented by the string "oid:"
  // followed by the integer base 10 representation of the OID separated
  // by dots. For example, the OID corresponding to the OMG is represented
  // as: "oid:2.23.130"
  typedef string StringOID;

  // The GSS Object Identifier for the KRB5 mechanism is:
  // { iso(1) member-body(2) United States(840) mit(113554) infosys(1)
  // gssapi(2) krb5(2) }
  const StringOID KRB5MechOID = "oid:1.2.840.113554.1.2.2";

  // The GSS Object Identifier for name objects of the Mechanism-independent
  // Exported Name Object type is:
  // { iso(1) org(3) dod(6) internet(1) security(5) nametypes(6)
  // gss-api-exported-name(4) }
  const StringOID GSS_NT_Export_Name_OID = "oid:1.3.6.1.5.6.4";

  // The GSS Object Identifier for the scoped-username name form is:
  // { iso-itu-t (2) international-organization (23) omg (130) security (1)
  // naming (2) scoped-username(1) }
  const StringOID GSS_NT_Scoped_Username_OID = "oid:2.23.130.1.2.1";

}; // CSI

#endif
